
The cybercriminals who perpetrated the “WannaCry” ransomware attack face penalties
and possible jail time if apprehended. But companies may face scrutiny from regulators
on both sides of the Atlantic, as well as consumer class actions if they failed to
provide adequate levels of security before and after the attack, attorneys said.

The real question in ransomware cases is “who knew what when,” Chris Dore, privacy
partner at Edelson PC in Chicago, said. “If companies failed to take steps” to protect
their networks and knew about Microsoft’s patch, “then there could be liability,”
he said. Companies may also face a litigation risk if they “promised customers that
they provided industry standard security,” but failed to prevent the ransomware attack,
he said.

The cost of the ransomware attack is still unknown, Lloyd’s of London CEO Inga Beale
said in a May 15 statement. But it is a “wake-up call for everyone,”
and staying ahead of the curve “is one of the biggest challenges when it comes to
cyber risk,” she said. Even without knowing the ultimate cost of WannaCry, the tab
for cyberattacks to the global economy may reach $1 trillion annually, according to
Bloomberg Intelligence.

Standard of Care

Marcy Wilder, a privacy and cybersecurity partner at Hogan Lovells (U.S.) LLP in Washington,
told Bloomberg BNA May 15 that the likelihood of regulatory enforcement actions depends
on the sector. Health-care institutions should be mindful that the Department of Health
and Human Services Office for Civil Rights (OCR) has taken the position that a ransomware
attack may be considered a data breach in certain situations, Wilder said.

In a July 2016 guidance, OCR said that most ransomware attacks on hospitals are data breaches that may trigger
investigations and reporting requirements. However, under the guidance, health-care
providers wouldn’t have to report ransomware attacks if the health data were encrypted
by the owner and unreadable to the intruder.

Elliot R. Golding, a data privacy and cybersecurity partner at Squire Patton Boggs (U.S.)
LLP in Washington, told Bloomberg BNA May 15 that although there is no such thing
as 100 percent security, companies should look to see if they have taken steps to
implement “reasonable security.” For many regulators, including the Federal Trade
Commission, “security reasonableness is fact-dependent,” Golding said.

Companies under the FTC’s jurisdiction—from internet giants Amazon.com Inc. and Facebook
Inc. to smaller businesses such as LabMD Inc.—have struggled with what level of data
security they must provide to convince the nation’s main data security and privacy
enforcement agency that their efforts to protect personal data are reasonable. The
FTC tells companies that the data security standard can be parsed by looking at the
lessons learned from numerous FTC consent decrees with alleged Section 5 violators,
as well as agency guidance.

According to Wilder, OCR is probably most likely to launch regulatory enforcement
actions as a result of WannaCry, and it is also possible that state attorneys general
will investigate. The FTC could launch enforcement actions, but it’s not as likely,
Wilder said.

Lisa M. Ropple, a cybersecurity partner at Jones Day in Boston, told Bloomberg BNA
May 15 that, although she can’t speak for what regulators may do, it is “neither fair
nor sensible to try to hold accountable the victim of a ransomware attack.” Ropple
added that “regulators shouldn’t look to victim companies, who were not responsible
for creating the software or the ransomware, to remedy the problem.”

When reached for comment, the FTC referred Bloomberg BNA to a blog post on WannaCry.

Litigation Risk?

Many major cyberattacks lead to consumer class actions stemming from the security
incident. Yahoo! Inc., Target Corp., the Home Depot Corp., among other companies,
have faced such litigation. Dore said that many of the suits are brought under consumer
protection statutes or theories of negligence or breach of contract.

Scott L. Vernick, head of the data security and privacy practice at Fox Rothschild
LLP in Philadelphia, told Bloomberg BNA that he doesn’t expect similar activity to
arise out of the WannaCry ransomware attack. “At the moment there won’t be consumer
class actions,” but this could change depending on the specific facts of any future
class suit, he said.

Vernick said that companies may run into regulatory risks stemming from the ransomware
attack if they “haven’t been following best practices and haven’t been up front about
it.” In this instance, best practices would have been to “patch, patch, patch” because
“most regulators would say that routine patching needs to be done and would consider
it the standard of care,” he said.

Companies need to have “strong and workable backups,” Vernick said. It is not just
a matter of backing up the data, but rather about readily being able to access the
information, he said.

EU Technical Measures

European companies infected with WannaCry are at risk of lawsuits and regulatory enforcement
action if they haven’t adopted appropriate technical and organizational measures,
privacy professionals told Bloomberg BNA.

Organizations that don’t implement such measures and are subject to a ransomware attack
could be seen as breaching a legal obligation, and be open to lawsuits from affected
individuals seeking compensation, Eduardo Ustaran, privacy and cybersecurity partner
at Hogan Lovells LLP in London, told Bloomberg BNA May 15.

Rafi Azim-Khan, a data privacy partner at Pillsbury, Winthrop, Shaw & Pittman LLP
in London, said companies that have failed to put in security measures in place could
face “liability and exposure to enforcement action for those businesses affected by
this ransomware attack.”

In the U.K., where many National Health Service (NHS) hospitals were hit by the ransomware,
the U.K.'s privacy regulator, the Information Commissioner’s Office (ICO), could bring
enforcement actions, attorneys told Bloomberg BNA.

The largest fine the ICO has ever issued resulted from an organization that was
hacked after failing to update its software, Ustaran said.
